Authorization Flaw in Hunk Companion Plugin for WordPress
CVE-2024-11972
Key Information:
- Vendor: WordPress
- Status: Vendor
- CVE Published: 31 December 2024
Summary
The Hunk Companion WordPress plugin before version 1.9.0 does not properly authorize certain of its REST API endpoints. An unauthenticated attacker can call those endpoints to make the site download, install and activate arbitrary plugins from the WordPress.org repository. On its own that is an authorization bypass; in the attacks reported below it was chained, with the attacker installing an outdated or vulnerable plugin and then exploiting that plugin to reach remote code execution. Site owners should upgrade Hunk Companion to version 1.9.0 or later and review the installed plugin list for anything they did not add themselves.
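The flaw class is a REST route whose permission callback lets anyone through. The example below is added here for illustration and is not Hunk Companion's code: the namespace, route paths and function names (hc_example/v1, /install-plugin, /install-plugin-secure, hc_example_install_plugin) are assumed. It registers the same install-and-activate callback twice, once behind a permission_callback of __return_true (the unauthenticated pattern the advisory describes) and once behind a capability check and slug validation, so the two registrations can be compared side by side.

```php
<?php
// Added illustrative example, not Hunk Companion's code. Route namespace,
// paths and function names below are assumptions for the example.

// VULNERABLE pattern: permission_callback always returns true, so any
// visitor can POST a slug and have WordPress install and activate it.
add_action('rest_api_init', function () {
    register_rest_route('hc_example/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'hc_example_install_plugin',
        'permission_callback' => '__return_true', // no authorization at all
        'args'                => array(
            'slug' => array('required' => true, 'type' => 'string'),
        ),
    ));
});

// HARDENED pattern: require a logged-in user holding install_plugins and
// activate_plugins, and constrain the slug to a WordPress.org-style value.
// Cookie-authenticated REST requests also need a valid X-WP-Nonce header;
// without it WordPress treats the request as anonymous and the check fails.
add_action('rest_api_init', function () {
    register_rest_route('hc_example/v1', '/install-plugin-secure', array(
        'methods'             => 'POST',
        'callback'            => 'hc_example_install_plugin',
        'permission_callback' => function (WP_REST_Request $request) {
            if (!current_user_can('install_plugins') || !current_user_can('activate_plugins')) {
                // 401 for anonymous callers, 403 for logged-in users lacking the capability
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to install plugins.',
                    array('status' => rest_authorization_required_code())
                );
            }
            return true;
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => function ($value) {
                    // Lowercase letters, digits and hyphens only; rejects paths and URLs.
                    return is_string($value) && preg_match('/^[a-z0-9-]{1,64}$/', $value) === 1;
                },
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ));
});

// Shared callback: fetch the slug's package from WordPress.org, install it,
// then activate it. Reaching this function is what the permission callback
// is supposed to gate.
function hc_example_install_plugin(WP_REST_Request $request) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $slug = $request->get_param('slug');
    $api  = plugins_api('plugin_information', array(
        'slug'   => $slug,
        'fields' => array('sections' => false),
    ));
    if (is_wp_error($api)) {
        return $api;
    }

    $upgrader = new Plugin_Upgrader(new WP_Ajax_Upgrader_Skin());
    $result   = $upgrader->install($api->download_link);
    if (is_wp_error($result) || !$result) {
        return new WP_Error('install_failed', 'Plugin installation failed.', array('status' => 500));
    }

    $plugin_file = $upgrader->plugin_info();
    $activated   = activate_plugin($plugin_file);
    if (is_wp_error($activated)) {
        return $activated;
    }
    return rest_ensure_response(array('installed' => $plugin_file, 'active' => true));
}
```

To see the difference on a test site, send the same anonymous request to both routes: an unauthenticated POST of slug=hello-dolly to /wp-json/hc_example/v1/install-plugin succeeds, while the same request to /install-plugin-secure returns a 401 and installs nothing. When auditing a plugin, grep its register_rest_route calls for permission_callback values of __return_true (or a missing permission_callback) on any route that writes state, and confirm the callback checks a real capability rather than only a nonce.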
Affected Version(s)
Hunk Companion: all versions before 1.9.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which in the worst case ends in ransomware deployment.
News Articles
- Critical WordPress plugin vulnerability under active exploit threatens thousands: Vulnerability with a severity rating of 9.8 out of a possible 10 still live on more than 8,000 sites.
- WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins: Attackers exploit the Hunk Companion vulnerability (CVE-2024-11972) to install flawed plugins, enabling RCE attacks on 10,000+ WordPress sites. Patch imme
- Hunk Companion WordPress plugin exploited to install vulnerable plugins: Hackers are exploiting a critical vulnerability in the
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- First article discovered by BleepingComputer
- Vulnerability reserved